Closed smartpcr closed 6 years ago
Thanks for reporting this @smartpcr. Can you pls share logs from /var/log/kv-driver.log from aks-nodepool1-33901137-2?
Log is attached:
I see CLIENTID: .appId in the log. Was this redacted? Can you pls share how you are creating the kvcreds k8s secret?
For your reference, from the README, to create the kvcreds k8s secret:
Add your service principal credentials as a Kubernetes secrets accessible by the KeyVault FlexVolume driver.
kubectl create secret generic kvcreds --from-literal clientid=<CLIENTID> --from-literal clientsecret=<CLIENTSECRET> --type=azure/kv
I see the correct secret (SPN password) in the log, but not the appId (should be 9a01914e-8bc1-427b-ad76-5197d3bb0a77). Here is what I did:
az ad sp create-for-rbac `
--name $bootstrapValues.kvSample.servicePrincipal `
--password $($servicePrincipalPwd.value)
$spn = az ad sp list --display-name $bootstrapValues.kvSample.servicePrincipal | ConvertFrom-Json
$kvCredName = "kvcreds"
$spnPwdSecret = az keyvault secret show --vault-name $bootstrapValues.kv.name --name $bootstrapValues.kvSample.servicePrincipalPwd | ConvertFrom-Json
kubectl create secret generic $kvCredName --from-literal clientid=$spn.appId --from-literal clientsecret=$spnPwdSecret.value --type "azure/kv"
Here is the output describing the secret:
kubectl describe secret kvcreds
Name: kvcreds
Namespace: default
Labels: <none>
Annotations:
Type: azure/kv
Data
====
clientid: 6 bytes
clientsecret: 215 bytes
Can you set $spn.appId to a variable, then run kubectl create?
$spnappid = $spn.appId
kubectl create secret generic $kvCredName --from-literal clientid=$spnappid --from-literal clientsecret=$spnPwdSecret.value --type "azure/kv"
Can you also verify that the clientid is correctly stored in the k8s secret: base64 --decode the returned value of clientid.
Here is the output of the secret; the client id is correct after decoding.
kubectl get secret kvcreds -o yaml
apiVersion: v1
data:
  clientid: OWEwMTkxNGUtOGJjMS00MjdiLWFkNzYtNTE5N2QzYmIwYTc3
  clientsecret: S2VkcUdSOWtabHA3ODRJRkRkV2pDYWxpOVppWTZHZG5yQ09McFBJMyFAMXdX
kind: Secret
metadata:
  creationTimestamp: 2018-08-27T23:56:35Z
  name: kvcreds
  namespace: default
  resourceVersion: "26465"
  selfLink: /api/v1/namespaces/default/secrets/kvcreds
  uid: d4d0e547-aa54-11e8-ad1b-1ec7bc63a04d
type: azure/kv
Your suggestion fixed the problem!
$spnappid = $spn.appId
Thanks for your help!
@smartpcr glad it worked for you! Closing the issue. You should probably delete that SP since the secret has been shared here.
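A check for the verification step above (decode the secret and confirm the clientid is a GUID), added here as an example; it is not part of this thread or of the KeyVault FlexVolume project. It assumes the JSON shape printed by kubectl get secret -o json and uses constructed sample secrets, one of which carries the '.appId' clientid seen in the driver log.

```python
import base64
import json
import re
import subprocess

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)  # Azure AD appId shape

def decode_secret_data(secret):
    """Base64-decode every value under .data of a Secret (as printed by kubectl -o json)."""
    return {k: base64.b64decode(v).decode("utf-8", "replace") for k, v in secret.get("data", {}).items()}

def check_kvcreds(secret):
    """Return a list of problems with a kvcreds Secret; an empty list means it looks usable."""
    problems = []
    if secret.get("type") != "azure/kv":
        problems.append(f"type is {secret.get('type')!r}, expected 'azure/kv'")
    data = decode_secret_data(secret)
    for key in ("clientid", "clientsecret"):
        if not data.get(key):
            problems.append(f"data key {key!r} is missing or empty")
    client_id = data.get("clientid", "")
    if client_id and not GUID_RE.match(client_id):
        hint = ""
        if client_id.startswith((".", "@{")):
            # '.appId' or '@{...}.appId' means PowerShell expanded $spn inside the argument
            # 'clientid=$spn.appId' as a string and left the member access unevaluated.
            hint = " (unexpanded PowerShell member access: use $($spn.appId) or a variable)"
        problems.append(f"clientid {client_id!r} is not a GUID{hint}")
    if data.get("clientsecret", "").startswith("@{"):
        problems.append("clientsecret is a serialized PowerShell object, not the password")
    return problems

def load_secret(name="kvcreds", namespace="default"):
    """Fetch a Secret as JSON through kubectl (needs cluster access; the samples below do not)."""
    return json.loads(subprocess.check_output(
        ["kubectl", "get", "secret", name, "-n", namespace, "-o", "json"]))

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed samples: BROKEN_SECRET mirrors the 6-byte '.appId' clientid seen in the driver log
# (clientsecret made up); GOOD_SECRET uses the appId quoted in the thread and a placeholder password.
BROKEN_SECRET = {"type": "azure/kv", "data": {"clientid": _b64(".appId"),
                                              "clientsecret": _b64("@{value=hunter2}.value")}}
GOOD_SECRET = {"type": "azure/kv", "data": {"clientid": _b64("9a01914e-8bc1-427b-ad76-5197d3bb0a77"),
                                            "clientsecret": _b64("placeholder-not-a-real-secret")}}

if __name__ == "__main__":
    for label, secret in (("broken", BROKEN_SECRET), ("good", GOOD_SECRET)):
        print(label, check_kvcreds(secret) or "OK")
```

Run it against a live cluster with check_kvcreds(load_secret()) before creating the pod, so a mis-expanded argument is caught here rather than as a mount failure on the node.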
Here is the yaml file:
And it failed with the following error:
Type Reason Age From Message
Normal Scheduled 4s default-scheduler Successfully assigned keyvault-demo to aks-nodepool1-33901137-2
Normal SuccessfulMountVolume 3s kubelet, aks-nodepool1-33901137-2 MountVolume.SetUp succeeded for volume "default-token-d52qb"
Warning FailedMount 2s (x3 over 3s) kubelet, aks-nodepool1-33901137-2 MountVolume.SetUp failed for volume "secret-1" : mount command failed, status: Failure, reason: /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume failed, -vaultObjectVersion is not set